UK Data Retention and Investigatory Powers Bill
Peter Fairbrother
zenadsl6186 at zen.co.uk
Fri Jul 11 17:23:31 BST 2014
On 11/07/14 14:51, Caspar Bowden (lists) wrote:
> On 07/11/14 15:31, Ian Batten wrote:
>> On 10 Jul 2014, at 21:14, Roland Perry
>> <lists at internetpolicyagency.com> wrote:
>>
>>> In article
>>> <CAK0b=2cu=0GrxSXoA8BedTPfseu0dBAv+qBxmOENd+vgYD17Qw at mail.gmail.com>,
>>> Tony Naggs <tony.naggs at googlemail.com> writes
>>>> I'm not really clear why a law change is required for communications
>>>> data to be held for 12 months. Probably most businesses will want to
>>>> hold this data for a year in order to address billing disputes & such
>>> Very few ISPs produce itemised bills saying who you emailed and when,
>>> or listing which web pages you went to in order to use up your
>>> 1GB/month.
>> I still don't follow (either technically or legally) on what basis
>> ISPs will be able to retain logs of which websites you visited.
>
> Up until now, I think the 2003 Code of Practice on ATCSA Retention - it
> is still in force
>
> DRIP 1(2)c now provides compulsion, of what was previously "voluntary"
No. DRIP ss.1(2)c only applies to "relevant" comms data, defined in ss.2(1):
""relevant communications data" means communications data of the kind
mentioned in the Schedule to the 2009 Regulations so far as such data
is generated or processed in the United Kingdom by public
telecommunications operators in the process of supplying the
telecommunications services concerned;"
That does *NOT* include website logs. There is a list of the types of
data to which DRIP applies here:
http://www.legislation.gov.uk/ukdsi/2009/9780111473894/schedule
and of course it is exactly the same list as was in force before the
ECtJ judgement.
However, there are a couple of minor caveats: subsections 2(2) and
perhaps 2(3) modify that definition, and I don't know what they actually
mean - anyone?
However, a Notice given under DRIP ss.1(1) can demand that data is kept
forever - there is no time limit on it.
Reading the notes, this may be due to incompetence rather than a power
grab: the notes envisage that some future Regulations to be made under
ss.1(3) will limit retention to 12 months.
However such Regulations do not exist at present [the notes say a draft
of the regs will be available during the bill's passage - anyone know a
link for this please?], and they can't be brought into force until the
next session of Parliament anyway.
Further, there is nothing in DRIP which says they have to make any
Regulations at all, or that those Regulations must include a maximum
period for all retentions - only that any maximum period they do contain
must not exceed 12 months.
I think a small amendment to ss.1(5) might cure this oversight, and not
be too objectionable to anyone - just put the maximum time limit in the
Act rather than in the Regulations (it probably belongs there anyway).
I think the most egregious part (apart from the fact that overall the
Bill does nothing whatsoever to comply with the sentiments behind the
ECtJ judgement), and the part to get most upset about, may well be
section 5.
The notes say "This clause inserts a new subsection into section 2 of
RIPA. New section 2(8A) makes clear that the definition of
“telecommunications service” includes companies who provide
internet-based services, such as webmail."
But it goes a whole lot further than that:
5 Meaning of "telecommunications service"
In section 2 of the Regulation of Investigatory Powers Act 2000 (meaning
of "interception" etc), after subsection (8) insert--
(8A) For the purposes of the definition of "telecommunications service"
in subsection (1), the cases in which a service is to be taken to
consist in the provision of access to, and of facilities for making use
of, a telecommunication system include any case where a service consists
in or includes facilitating the creation, management or storage of
communications transmitted, or that may be transmitted, by means of such
a system.
which as far as I can see *IS* a major landgrab - it includes whole
swathes of things which weren't included before. Like web designers.
for instance.
Or internet reporters.
And a Zillion more.
Again, it may be just incompetence rather than a deliberate landgrab;
but as-is section 5 should most definitely not be included in the Act.
-- Peter Fairbrother
More information about the ukcrypto
mailing list